[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: LDAP ISSUE
Steve Hanna wrote:
>
> Actually, there is a good reason for the position of the LDAP
> group on this issue.
>
> The reason that new keywords for attribute types in X.500 DNs
> cannot be sent on the wire in LDAP protocol messages is that
> old LDAP servers won't know what the new keywords mean.
Steve
we have two cases here.
i) a new attribute is defined along with a new string keyword.
-- this wont cause a problem because the old server wont have any
entries with that name and will return an error message to the client
ii) an old server does have entries with that name but is used to seeing
OIDs in the request, and the clients that go with it also send the OIDs
(they cant do otherwise). Then the string name (which is already defined
anyway and known about, because the client can use it when asking for
the attribute) is defined for use in DNs as well. There will be a
migration problem only if the clients start to use the string keyword
before the server. Therefore once the keyword is defined in an Internet
draft, servers should be configured to start to expect it.
> For
> user input and output, new keywords can be added. But you
> can't expect existing LDAP servers to automagically understand
> what a new keyword means when they see it on the wire. OIDs
> are the best way to handle this.
Actually OIDs are the best alround, and keywords should never have been
defined! But given that they are, we should be consistent in their
application, and not require keywords for some things and OIDs for
others, within the same protocol item (a DN)
>
> Also, this is not a new position. RFC 1779 (for LDAPv2)
> allowed new keywords and defined an IANA registry. But no
> new keywords were ever defined. I suspect that people
> realized the problems that would ensue.
No, I think it was because everyone built their DITs using only the
keywords defined. But now PKIX has defined some new attributes for use
in DNs, and therefore the keywords for these should also be supported.
David
>RFC 2253 (for LDAPv3)
> does not allow new keywords. And the revised version of 2253
> (draft-ietf-ldapbis-dn-07.txt) also does not.
>
> Steve
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
IS Institute, University of Salford, Salford M5 4WT
Tel: +44 161 295 5351 Fax +44 01484 532930
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxxxxx
Home Page: http://www.salford.ac.uk/its024/chadwick.htm
Research Projects: http://sec.isi.salford.ac.uk
Understanding X.500: http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
begin:vcard
n:Chadwick;David
tel;cell:+44 77 96 44 7184
tel;fax:+44 1484 532930
tel;home:+44 1484 352238
tel;work:+44 161 295 5351
x-mozilla-html:FALSE
url:http://www.salford.ac.uk/its024/chadwick.htm
org:University of Salford;IS Institute
version:2.1
email;internet:d.w.chadwick@xxxxxxxxxxxxx
title:Professor of Information Security
adr;quoted-printable:;;The Crescent=0D=0A;Salford;Greater Manchester;M5 4WT;England
note;quoted-printable:Research Projects: http://sec.isi.salford.ac.uk.......................=0D=0A=0D=0AUnderstanding X.500: http://www.salford.ac.uk/its024/X500.htm .......................=0D=0A=0D=0AX.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm...................=0D=0A=0D=0AEntrust key validation string: CJ94-LKWD-BSXB ...........=0D=0A=0D=0APGP Key ID is 0xBC238DE5
x-mozilla-cpt:;-4856
fn:David Chadwick
end:vcard